Abstract: Embodiments described herein are generally directed to the use of sidecars to perform dynamic API contract generation and conversion. In an example, a first sidecar of a source microservice intercepts a first call to a first API exposed by a destination microservice. The first call makes use of a first API technology specified by a first contract and is originated by the source microservice. An API technology is selected from multiple API technologies. The selected API technology is determined to be different than the first API technology. Based on the first contract, a second contract is dynamically generated that specifies an intermediate API that makes use of the selected API technology. A second sidecar of the destination microservice is caused to generate the intermediate API and connect the intermediate API to the first API.

Abstract: Various systems and methods are described to enable cyber-physical protections in edge computing platforms, including with countermeasures that mitigate and halt a variety of digital or real-world attacks. In an example, an attack detection and response engine is used to monitor processing circuitry, with operations that: identify operational data from processing circuitry that operates multiple layers (e.g., of an IP block) to perform compute operations, with trust of the processing circuitry established based on attestation of a hardware root of trust (RoT); evaluate the operational data to identify an attack condition at the processing circuitry, based on monitoring an operational layer of the multiple layers; and provide a digital attack response to the processing circuitry, in response to identifying the attack condition, to deploy the digital attack response and cause a countermeasure at the operational layer of the processing circuitry.

Abstract: Methods, systems, and use cases for one-touch inline cryptographic data security are discussed, including an edge computing device with a network communications circuitry (NCC), an enhanced DMA engine coupled to a memory device and including a cryptographic engine, and processing circuitry configured to perform a secure exchange with a second edge computing device to negotiate a shared symmetric encryption key, based on a request for data. An inline encryption command for communication to the enhanced DMA engine is generated. The inline encryption command includes a first address associated with a storage location storing the data, a second address associated with a memory location in the memory device, and the shared symmetric encryption key. The data is retrieved from the storage location using the first address, the data is encrypted using the shared symmetric encryption key, and the encrypted data is stored in the memory location using the second address.

Abstract: In one embodiment, a method includes: receiving, in an edge platform, a plurality of messages from a plurality of edge devices coupled to the edge platform, the plurality of messages comprising metadata including priority information and granularity information; extracting at least the priority information from the plurality of messages; storing the plurality of messages in entries of a pending request queue according to the priority information; selecting a first message stored in the pending request queue for delivery to a destination circuit; and sending a message header for the first message to the destination circuit via at least one interface circuit, the message header including the priority information, and thereafter sending a plurality of packets including payload information of the first message to the destination circuit via the at least one interface circuit. Other embodiments are described and claimed.

Abstract: Various systems and methods for enabling derivation and distribution of an attestation manifest for a software update image are described. In an example, these systems and methods include orchestration functions and communications, providing functionality and components for a software update process which also provides verification and attestation among multiple devices and operators.

Abstract: Various aspects of methods, systems, and use cases for verification and attestation of operations in an edge computing environment are described, based on use of a trust calculus and established definitions of trustworthiness properties. In an example, an edge computing verification node is configured to: obtain a trust representation, corresponding to an edge computing feature, that is defined with a trust calculus and provided in a data definition language; receive, from an edge computing node, compute results and attestation evidence from the edge computing feature; attempt validation of the attestation evidence based on attestation properties defined by the trust representation; and communicate an indication of trustworthiness for the compute results, based on the validation of the attestation evidence. In further examples, the trust representation and validation is used in a named function network (NFN), for dynamic composition and execution of a function.

Abstract: Methods, apparatus, and systems are disclosed for mapping active assurance intents to resource orchestration and life cycle management. An example apparatus disclosed herein is to reserve a probe on a compute device in a cluster of compute devices based on a request to satisfy a resource availability criterion associated with a resource of the cluster, apply a risk mitigation operation based on the resource availability criterion before deployment of a workload to the cluster, and monitor whether the criterion is satisfied based on data from the probe after deployment of the workload to the cluster.

Abstract: Embodiments described herein are generally directed to the use of sidecars to perform dynamic Application Programming Interface (API) contract generation and conversion. In an example, a first call by a first microservice to a first API of a second microservice is intercepted by a first sidecar of the first microservice. The first API is of a first API type of multiple API types and is specified by a first contract. An API type of the multiple API types is selected by the first sidecar. Responsive to determining the selected API type differs from the first API type, based on the first contract, a second contract is generated by the first sidecar specifying a second API of the selected API type; and a second sidecar of the second microservice is caused to generate the second API and internally connect the second API to the first API based on the second contract.

Abstract: Embodiments described herein are generally directed to intelligent management of microservices failover. In an example, responsive to an uncorrectable hardware error associated with a processing resource of a platform on which a task of a service is being performed by a primary microservice, a failover trigger is received by a failover service. A secondary microservice is identified by the failover service that is operating in lockstep mode with the primary microservice. The secondary microservice is caused by the failover service to takeover performance of the task in non-lockstep mode based on failover metadata persisted by the primary microservice. The primary microservice is caused by the failover service to be taken offline.

Abstract: Various systems and methods are described for implementing cloud-to-edge (C2E) security are disclosed, including systems and methods for the execution of various workloads that are distributed among multiple edge computing nodes. An example technique for managing distributed workloads includes: identifying characteristics of a distributed workload from an execution of the distributed workload, for a distributed workload that is partitioned among multiple computing nodes; evaluating a trust status of the distributed workload in response to a change in the execution of the distributed workload, including verifying resources to execute the distributed workload and verifying security policies associated with the resources; and controlling the execution of the distributed workload among the multiple computing nodes, based on the characteristics and the evaluated trust status.

Abstract: A named function network (NFN) system includes a routing node, a function generation node, and a server node. The routing node receives requests for new functions, the requests including data values for generating the new functions. The function generation node receives the data values from the routing node and generates a new function for the NFN using the data values. The server node receives a request from the routing node to execute the new function, executes the new function, and transmits results of the execution to the routing node.

Abstract: An apparatus to facilitate at-scale telemetry using interactive matrix for deterministic microservices performance is disclosed. The apparatus includes one or more processors to: receive user input comprising an objective or task corresponding to scheduling a microservice for a service, wherein the objective or task may include QoS, SLO, ML feedback; identify interaction matrix components in an interaction matrix that match the objective or tasks for the microservice; identify knowledgebase components in knowledgebase that match the objective or tasks for the microservice; and determine a scheduling operation for the microservice, the scheduling operation to deploy the microservice in a configuration that is in accordance with the objective or task, wherein the configuration comprises a set of hardware devices and microservice interaction points determined based on the interaction matrix components and the knowledgebase components.

Abstract: An apparatus to facilitate provenance audit trails for microservices architectures is disclosed. The apparatus includes one or more processors to obtain provenance metadata for a microservice from a local blockchain of provenance metadata maintained for the hardware resource executing a task performed by the microservice, the provenance metadata comprising identification of the microservice, operating state of at least one of a hardware resource or a software resource used to execute the microservice and the task, and an operating state of a sidecar of the microservice during the task; access one or more policies established for the microservice; analyze the provenance metadata with respect to the one or more policies to identify if there is a violation of the one or more policies; and generate one or more evaluation metrics based on whether the violation of the one or more policies is identified.

Abstract: An architecture to allow Multi-Access Edge Computing (MEC) billing and charge tracking, is disclosed. In an example, a tracking process, such as is performed by an edge computing apparatus, includes: receiving a computational processing request for a service operated with computing resources of the edge computing apparatus from a connected edge device within the first access network, wherein the computational processing request includes an identification of the connected edge device; identifying a processing device, within the first access network, for performing the computational processing request; and storing the identification of the connected edge device, a processing device identification, and data describing the computational processes completed by the processing device in association with the computational processing request.

Abstract: Various approaches for deployment and use of configurable edge computing platforms are described. In an edge computing system, an edge computing device includes hardware resources that can be composed from a configuration of chiplets, as the chiplets are disaggregated for selective use and deployment (for compute, acceleration, memory, storage, or other resources). In an example, configuration operations are performed to: identify a condition for use of the hardware resource, based on an edge computing workload received at the edge computing device; obtain, determine, or identify properties of a configuration for the hardware resource that are available to be implemented with the chiplets, with the configuration enabling the hardware resource to satisfy the condition for use of the hardware resource; and compose the chiplets into the configuration, according to the properties of the configuration, to enable the use of the hardware resource for the edge computing workload.

Abstract: Various approaches for implementing platform resource management are described. In an edge computing system deployment, an edge computing device includes processing circuitry coupled to a memory. The processing circuitry is configured to obtain, from an orchestration provider, an SLO (or SLA) that defines usage of an accessible feature of the edge computing device by a container executing on a virtual machine within the edge computing system. A computation model is retrieved based on at least one key performance indicator (KPI) specified in the SLO. The defined usage of the accessible feature is mapped to a plurality of feature controls using the retrieved computation model. The plurality of feature controls is associated with platform resources of the edge computing device that are pre-allocated to the container. The usage of the platform resources allocated to the container is monitored using the plurality of feature controls.

Abstract: Systems and techniques for AI model and data camouflaging techniques for cloud edge are described herein. In an example, a neural network transformation system is adapted to receive, from a client, camouflaged input data, the camouflaged input data resulting from application of a first encoding transformation to raw input data. The neural network transformation system may be further adapted to use the camouflaged input data as input to a neural network model, the neural network model created using a training data set created by applying the first encoding transformation on training data. The neural network transformation system may be further adapted to receive a result from the neural network model and transmit output data to the client, the output data based on the result.

Abstract: Software and other electronic services are increasingly being executed in cloud computing environments. Edge computing environments may be used to bridge the gap between cloud computing environments and end-user software and electronic devices, and may implement Functions-as-a-Service (FaaS). FaaS may be used to create flavors of particular services, a chain of related functions that implements all or a portion of a FaaS edge workflow or workload. A FaaS Temporal Software-Defined Wide-Area Network (SD-WAN) may be used to receive a computing request and decompose the computing request into several FaaS flavors, enable dynamic creation of SD-WANs for each FaaS flavor, execute the FaaS flavors in their respective SD-WAN, return a result, and destroy the SD-WANs. The FaaS Temporal SD-WAN expands upon current edge systems by allowing low-latency creation of SD-WAN virtual networks bound to a set of function instances that are created to a execute a particular service request.

Abstract: A system for trust brokering as a service includes an edge computing node and a trust brokering service edge computing device. The trust brokering service edge computing device receives a computing workload request from an application configured to process secure data and identifies a set of security requirements associated with the request. The device also identifies a security feature present in the set of security requirements but not provided by the edge computing node. To address this, the device generates an application execution environment that includes a secure plugin providing the security feature and a virtual device representing the edge computing node. The computing workload request is then executed at the application execution environment, providing a secure and efficient solution for trust brokering as a service.

Abstract: An apparatus to facilitate provenance audit trails for microservices architectures is disclosed. The apparatus includes one or more processors to: obtain, by a microservice of a service hosted in a datacenter, provisioned credentials for the microservice based on an attestation protocol; generate, for a task performed by the microservice, provenance metadata for the task, the provenance metadata including identification of the microservice, operating state of at least one of a hardware resource or a software resource used to execute the microservice and the task, and operating state of a sidecar of the microservice during the task; encrypt the provenance metadata with the provisioned credentials for the microservice; and record the encrypted provenance metadata in a local blockchain of provenance metadata maintained for the hardware resource executing the task and the microservice.